Tools / State Rights Lookup

State Privacy Rights Lookup

Find out what privacy protections you have based on where you live.

The US State Privacy-Law Patchwork — What Each Statute Actually Gives You

The United States has no comprehensive federal privacy law, so consumer rights depend entirely on state of residence. As of early 2026, fifteen US states have enacted comprehensive consumer-privacy statutes that grant some combination of access, deletion, correction, portability, and opt-out rights against companies meeting threshold revenue or processing tests. California's CCPA (effective 2020) and CPRA (2023) remain the strongest, granting deletion within 45 days, opt-out from sale and from sharing for cross-context behavioral advertising, sensitive-data limits, and a limited private right of action for breaches involving non-encrypted personal information. Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Minnesota and Maryland have followed with statutes ranging from CCPA-equivalent (Colorado, Connecticut) to narrower business-revenue-gated regimes (Utah, Tennessee).

Most state laws apply to companies meeting one of: $25M+ annual revenue, processing data on 100,000+ residents, or deriving 25%+ of revenue from personal-data sale. Smaller data brokers may technically be exempt, though most volunteer compliance to avoid challenge. Enforcement sits with state attorneys general (CA also has the dedicated CPPA), with civil penalties typically $2,500-$7,500 per violation. Consumers exercise rights by submitting verifiable requests through company portals; companies have 30-45 days to respond. Practical tip from the PrivacyFix editorial team: cite your specific state statute by section in the request (e.g., Cal. Civ. Code § 1798.105 for deletion) — broker compliance teams treat statute-citing requests with markedly higher priority than generic "delete my data" emails. PrivacyFix's deletion-request template generator below produces a pre-filled, statute-citing letter for your state.

Select your state above

We'll show you what privacy rights you have and how to exercise them.

19
States with Laws
6
Universal Opt-Out
1
Private Action
1
DROP Portal

Data current as of February 2026. Laws and effective dates may change.

Privacy Rights by State

Number of consumer privacy rights guaranteed under each state law. California leads with the most comprehensive protections.

Data Sources

  • Official state attorney general websites — Enforcement mechanisms, complaint procedures, and consumer rights summaries for each state law.
  • State legislature bills and enacted statutes — CCPA/CPRA (CA), VCDPA (VA), CPA (CO), CTDPA (CT), UCPA (UT), TDPSA (TX), OCPA (OR), DPDPA (DE), NJDPA (NJ), NHDPA (NH), KCDPA (KY), NDPA (NE), MODPA (MD), MCDPA (MN), RIDPA (RI), ICDPA (IA/IN), TIPA (TN), MCDPA (MT).
  • IAPP (International Association of Privacy Professionals) — US state privacy legislation tracker and comparative analysis.
  • Data current as of February 2026. New states and amendments may not yet be reflected.

Related Guides

CCPA Rights Guide
How to exercise your CCPA rights in California — access, delete, opt-out templates.
California DROP Portal
One-click opt-out from all registered CA data brokers via the DELETE Act portal (Aug 2026).
Data Broker Opt-Out Guide
Works regardless of state — direct opt-out links for 12 priority brokers.

More Privacy Tools

Privacy Audit
Assess your privacy risk level
Opt-Out Tracker
Track your data broker submissions
California DROP Guide
Use the DELETE Act data broker portal

Frequently Asked Questions

What if my state does not have a privacy law?
You can still opt out of most data brokers using their voluntary removal processes. Our Data Broker Opt-Out Guide works regardless of your state. You can also enable Global Privacy Control (GPC) in your browser, which many companies honor even without a legal requirement.
What is a universal opt-out signal?
A universal opt-out signal, like Global Privacy Control (GPC), is a browser setting that automatically tells every website you visit that you do not want your data sold. States like Colorado, Connecticut, Montana, Oregon, Delaware, and New Jersey require businesses to honor this signal.
Can I use another state's privacy law?
Generally, privacy laws apply based on residency. However, if you have a connection to California (work there, own property, or have family), some CCPA rights may apply. In practice, many companies apply their most restrictive compliance policies to all US users rather than checking state by state.
What is the difference between a right to delete and a right to opt out?
The right to delete requires a company to erase your personal data entirely. The right to opt out of sale stops a company from selling your data to third parties going forward, but they can still keep it for their own use. For maximum protection, exercise both rights when available in your state.
How do I file a complaint if a broker ignores my request?
If a data broker does not respond within 45 days, you can file a complaint with your state attorney general's office. In California, you can also file with the California Privacy Protection Agency. Document your original request date, confirmation number, and any correspondence as evidence.